Impersonating only works if both users have the same password #162
Comments
|
Hello, Same problem but since I used the "auth.session" middleware. If you use only "auth" middleware then no problem appears. |
|
Same problem here, and I'm using sanctum ... any workaround ? |
|
@adantart I got it working by removing the password from the session when leaving the impersonation, haven't got any problems but still use with caution: Add a new Session guard: <?php
namespace App\Auth;
class SessionGuard extends \Lab404\Impersonate\Guard\SessionGuard
{
/**
* @inheritDoc
*/
public function quietLogout()
{
parent::quietLogout();
foreach (array_keys(config('auth.guards')) as $guard) {
$this->session->remove('password_hash_' . $guard);
}
}
}Use the new Session guard in AuthServiceProvider (should already exist): class AuthServiceProvider extends ServiceProvider
{
public function boot()
{
/** @var AuthManager $auth */
$auth = $this->app['auth'];
$auth->extend(
'session',
function (Application $app, $name, array $config) use ($auth) {
$provider = $auth->createUserProvider($config['provider']);
return new \App\Auth\SessionGuard($name, $provider, $app['session.store']);
});
}
} |
|
@Arne1303 Interested to make a PR? |
|
@MarceauKa Sure! Should be there by Monday |
|
Hi @MarceauKa When do you think this PR will be merged? :) |
|
@adantart Looks like you importer the wrong Application class, you need to change the imposer or if it is used somewhere else specify it just for that function. You can also remove the type hint completely, that one works 2. |
|
I don't understand ... |
|
Ok, I noticed the Application namespace ... and I added |
|
Ok, I tested it , but it stills logs out when I "leave impersonation" |
|
Ok, working !!! But I had to use my leave-impersionation method (I mean, not using the route('impersonate.leave') provided by the library, and put it in a "non admin middleware" scope, if not the "impersonate user" had no access to the method. But yes, now it's working ... in a certain way ... :-P |
|
@adantart can you share your code please? @Arne1303 can you please assist? I have create the directory App\Auth with file SessionGuard.php `<?php namespace App\Auth; class SessionGuard extends \Lab404\Impersonate\Guard\SessionGuard }` My AuthServiceProvider looks like : `public function boot() Route Route::middleware(['auth:sanctum','verified','authadmin'])->group(function(){ |
|
@writehow Can you check if youre custom SessionGuard is being used? My first guess would be cache, try If it still doenst work I created a PR (#163) which does replace the password hashes with the ones from the new user instead of scrubing them of, you could try to adapt that one |
|
@Arne1303 Thank you for the quick reply ! |
|
I have the same issue with the side effect. I also found another side effect. Stopping impersonation now logs the user out completely instead of returning to the original user. |
|
@adantart @mrpritchett I've used slightly different code in my pr #163 can you check if the side effects are also present there? |
|
You mean this patch, right ? |
|
Yes, there are 2 versions, one is further up in this comment thread and one is the patch submitted, which one did you use? |
|
I'm still getting logged out with that PR when I try to leave impersonation. |
|
Sorry for taking so long to answer :-P So ... @Arne1303 ... the last one works. SUMMARY: In your first solution (#162 (comment)) your modifications involved
As I said, this patched the problem, but affected to the events of Auth, since they were not triggered properly. In your second solution (a306583) your modifications involved:
This second solution is cleaner than the first one ;-) and also allow Auth events to be triggered. For example I had this in my EventServiceProvider: since I do some stuff when Login, Logout, ... are performed. Now they are working well, and impersonation works perfectly although users have same or different password. THANK YOU ! |
|
@Arne1303 - I'm still seeing a log out when leaving impersonation. |
|
The error has "arrived" again after some update in the last week :-( |
|
@adantart I can confirm this issue is still unresolved for me as well. |
Weird thing here is that it was "fixed" for me, until a week ago or so ... maybe an update :-( |
|
I am getting this issue as well, impersonating a user logs the user out, Laravel 10.10.1 Jetstream/Fortify |
public function boot()
{
// Build out the impersonation event listeners - Otherwise we get a redirect to login if not setting the password_hash_sanctum when using sanctum.
Event::listen(function (TakeImpersonation $event) {
session()->put([
'password_hash_sanctum' => $event->impersonated->getAuthPassword(),
]);
});
Event::listen(function (LeaveImpersonation $event) {
session()->remove('password_hash_web');
session()->put([
'password_hash_sanctum' => $event->impersonator->getAuthPassword(),
]);
Auth::setUser($event->impersonator);
});
}
```
Try the above in the EventServiceProvider |
Thanks - yes that works just fine! :) |
|
Great! |
|
This worked, but it may bear pointing out one has to add the required use declarations to the top of Otherwise, it fails //silently//. |
Unfortunately this does not work for me using Laravel 10.18 and PHP 8.2.4 Edit: From this page https://laracasts.com/discuss/channels/laravel/jetstream-login-as-user?page=1&replyId=779264 |
Perfect! Thank you so much! |
|
Unfortunately, none of the above comments helped me. After I updated my EventServiceProvider.php with the following, however, the issue disappeared. |
I am using auth:web middleware and this is what worked for me for EventServiceProvider Note that both |
This worked for me to resolve this issue. |
|
this might help Event::listen(function (TakeImpersonation $event) {
session()->put([
'password_hash_'.Auth::getDefaultDriver() => $event->impersonated->getAuthPassword(),
]);
});
Event::listen(function (LeaveImpersonation $event) {
session()->remove('password_hash_'.Auth::getDefaultDriver());
session()->put([
'password_hash_'.Auth::getDefaultDriver() => $event->impersonator->getAuthPassword(),
]);
Auth::setUser($event->impersonator);
});that mirrors whats going on in UpdatePasswordForm for Jetstream. |
Using
laravel/framework: 9.17
We've been using the package for quite a while without problems but it looks like it broke in a recent dependency update.
When initiating an impersonation (using the route defined in Route::impersonate()) the user gets logged out and redirected to login, the impersonation does however work if both users (the impersonating and the one being impersonated) have the same password.
Does someone else also experience this behavior/is there a known workaround?
Thanks!
The text was updated successfully, but these errors were encountered: